Reverse-engineering SSNs from publicly available data

Computer scientists at Carnegie Mellon University have figured out how to predict Social Security numbers from publicly accessible birth data with frightening accuracy. The researchers analyzed a public information source known as the "Death Master File," which includes birth data and SSNs for people who have died. The scientists found that in many instances, if you know the date and state in which a person was born, you can deduce their SSN.

With just two attempts, the researchers correctly guessed the first five digits of SSNs for 60 percent of deceased Americans born between 1989 and 2003. With fewer than 1,000 attempts, they could identify the entire nine digits for 8.5 percent of the group.

There are only a few short steps between making a statistical prediction about a person's SSN and verifying their actual number, Acquisti said. Through a process called "tumbling," hackers can exploit instant online credit approval services -- or even the Social Security Administration's own verification database -- to test multiple numbers until they find the right one. Although these services usually block users after several failed attempts, criminals can use networks of compromised computers called botnets to scan thousands of numbers at a time.

"A botnet can be programmed to try variations of a Social Security number to apply for an instant credit card," Acquisti said. "In 60 seconds, these services tell you whether you are approved or not, so they can be abused to tell whether you've hit the right social security number."
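A defender-side sketch of the point above, added here as an example and not taken from the article or the CMU study: because tumbling spreads guesses across many source addresses, the counter is keyed on the claimed applicant (name plus date of birth) instead of on the client. The event layout, thresholds, hashing key and sample records are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumption: a server-side secret, so the detector never stores raw SSNs.
KEY = b"constructed-demo-key"

def ssn_token(ssn):
    """Keyed hash of a submitted SSN; equal SSNs give equal tokens."""
    return hmac.new(KEY, ssn.encode(), hashlib.sha256).hexdigest()

def identity_key(name, dob):
    """Normalise the claimed applicant so spacing and case do not split counts."""
    return (" ".join(name.lower().split()), dob)

def flag_tumbling(events, window_s=3600, max_distinct=3):
    """Return identities for which more than max_distinct different SSNs
    were submitted within window_s seconds, counted across all source IPs."""
    recent = defaultdict(deque)  # identity -> deque of (timestamp, token)
    flagged = set()
    for ts, _ip, name, dob, ssn in sorted(events):
        ident = identity_key(name, dob)
        queue = recent[ident]
        queue.append((ts, ssn_token(ssn)))
        while ts - queue[0][0] > window_s:
            queue.popleft()  # drop attempts that fell out of the window
        if len({token for _, token in queue}) > max_distinct:
            flagged.add(ident)
    return flagged

def flag_per_ip(events, max_attempts=3):
    """The per-client lockout the article says botnets get around."""
    counts = defaultdict(int)
    for _ts, ip, *_rest in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n > max_attempts}

# Constructed sample: (unix_ts, source_ip, name, date_of_birth, submitted_ssn).
# SSNs use the never-issued 000 area; IPs are documentation ranges.
SAMPLE_EVENTS = [
    (i * 60, f"203.0.113.{i + 1}", "Jane Doe", "1990-05-01", f"000-00-{i:04d}")
    for i in range(6)
] + [
    (100, "198.51.100.7", "John Roe", "1985-02-03", "000-00-9001"),
    (160, "198.51.100.7", "John Roe", "1985-02-03", "000-00-9010"),  # typo retry
]

if __name__ == "__main__":
    print("per-IP lockout flags:", flag_per_ip(SAMPLE_EVENTS))
    print("per-identity flags:  ", flag_tumbling(SAMPLE_EVENTS))
```

On the constructed sample the per-IP lockout flags nothing, while the per-identity counter flags the applicant whose SSN was varied six times from six addresses and leaves the single typo retry alone.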

29 Responses to “Reverse-engineering SSNs from publicly available data”

1989 is an important limiting factor in this process. Before 1989 you only needed to get a SSN once you had a job, and paid taxes. After ’89 all dependents claimed on taxes needed a SSN, meaning that children were issued them when born, and hence the connection between birthdate and SSN.

Amazing! Yet another reason why SSNs should not be used for anything other than Social Security business. It is a convenient and easy way for institutions to verify your identity but fatally flawed. Credit card companies, banks, and everybody except the SSA should stop using them immediately as employers are starting to do.

Any credit card company which gives the wrong person a credit card in your name simply because they know your SSN should be held liable for any damage they do to you.

I agree with you about SSN not being used for anything other than Social Security. However, the flaw with a SSN is really a flaw with any all-in-one method of recording identity.

Back in the day, this wasn’t an issue, because people’s identity was verified by the community. For example, back in the day when you wanted a loan from your local bank, instead of them doing a computerized credit check they wanted a recommendation from a good standing member of the community… or, social services were provided by local private charity who knew most of the people they served, as opposed to a national bureaucracy that serves hundreds of millions via telephone and mail.

Identity theft is the price we pay for easy credit in the private sector, and for socialism in the public sector. Those things would not be possible without some highly centralized (and therefore, vulnerable) method of ID. Unless people want to give up their easy loans and credit cards, and people want to give up their government entitlement programs, identity theft is just something we are going to have to live with. Some technological improvements can be made to make something like SSN more secure… but at the same time as we become more and more dependent on big centralized institutions, both centralized financial services provided by multinational corporations, and big centralized socialism, the incentive to steal identities will grow bigger.

I prefer small, decentralized institutions, both in business and in government, and would be willing to give up the benefits of centralization… but that is clearly a fringe concept, and most Americans and people around the world would not want that.

most universities and colleges i’ve been to assign student id numbers upon admission (in sequential, non-randomized form). most forms at these places ask for the student id number, but you can find older forms hiding within the institution which ask for SSN. most things related to money (finaid, tuition, or student work) ask for SSN, but are being switched over. this is my experience, anyway.

My card was stolen along with my murse. In 1976. I lived without it until 1998, when a new job required it. I just went down to the SS office and told them it was lost. I didn’t mention the 22 years part of the story. I think that I had to bring a copy of my birth certificate.

Well, I’ve suspected this for years: one of my best friends in high school was born on the same day in the same hospital as I was, and we noticed our SSN’s were practically sequential (and we were born well before 1989. . . or did we coincidentally apply for cards on the same day as teens?)

I recall many years ago, David Brin compared how we handle SSNs with how we handle usernames and passwords. The difference is that we seem to treat the SSN as both username and password at the same time. Clearly it’s a username – it’s a unique identifier. But just as clearly, it’s not a password. That’s the problem.

From the article: According to information privacy experts, Social Security numbers were never meant to be used for authentication purposes, and using them as passwords puts all consumers at risk for identity theft.

I returned to the same university after a twelve year absence. As an undergrad, our student ids had ssns on them! Now all uses of ssn have been replaced with the student id, but they still need the ssn, so I’m sure there’s a db somewhere that ties them together.

My late father delighted in telling stories of how bad things were. Kind of a chicken-and-egg thing with him and talk radio. Anyway, he took my youngest brother to the SS office downtown, circa 1984 (heh), to get the lad a card so his wages from his first job could be taxed.

Turned out that my brother’s birth certificate was not sufficient, but other documents, e.g., a library card (!) or a postmarked letter addressed to him (!!) would work. Mildly frustrated, Pop took him to the downtown library, where all he had to do was to point to his parents’ entry in the telephone book to get the library card.

My dad loved the next part, because he could actually foment rage in others with it. When they returned, they not only had to stand in line even longer, but the 58-year-old WWII veteran had to endure a parade of non-English-speaking adults brandishing letters with common names on the To: line getting SSNs. When he noticed the same letter being passed between applicants, he became so enraged that the security guard very nearly ejected him from the office.

Fortunately, my brother got his card and had a lovely summer working retail at the mall, thereby motivating him to excel in school.

[ in a burst of supremely random irony, the story I’ve told happened in our home town of San Antonio, Texas–and I’m laughing at the captcha “the alamo” … wherever you are, Dad, I hope you can laugh about this one, too ]

I thought this was common knowledge. I wonder why the sudden fuss. It’d be nice if this were the opening salvo in a push to decouple your SSN from … well, everything except your Soc Sec account really.

Just an historical note, it wasn’t until fairly recently that you had to request a SSN within one year of your child’s birth to be able to claim the tax deduction. When I was born (in the mid-sixties) it wasn’t unusual for SSN requests to be delayed for years after birth, making this “prediction” harder.

I’ve known this since 1987. I worked at the admissions office in college, and did a study which involved SSNs, and noticed the pattern described above. It also helped that my parents were born 5 days apart in the same area of Wisconsin, and their SSNs are identical up until the last two digits. What’s odd is my father’s SSN is a higher number than my mother’s, yet he’s the older of the two.

When I was in graduate school, and in classes of 12 students, where exam results were posted by student ID number (which, back then was the SSN), I one afternoon told everyone their grades as we were geographically diverse enough that determining which SSN belonged to whom was a trivial exercise. People really got scared of me being able to do that, but I explained how the first 3 digits identify where you applied for the number.

Like Mr Fantasy, when I was in college (at the University of Virginia), one’s student identification number was one’s first initial followed by one’s SSN. (Of course, in those days the Virginia DMV used SSNs for one’s driver’s license number as well.) By the time I got to grad school, a memo had gone around instructing professors to mask this info before posting class schedules and grades — by taking a felt-tip marker and drawing it through the two-digit column in the middle of the IDs. I don’t *think* the ID was printed in the student phone directory, but without a doubt, in a box somewhere back at the old homestead, I’ve got printouts from classes I took or TAed that list dozens of name/SSN pairs.

Personally, I guard against identity theft by having shit credit — but given the Virginia gentlemen and US presidential offspring and grand-offspring who were my classmates, I suspect not everyone is as well-protected as I.